Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI) - Amazon OpenSearch Service


Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI)

This tutorial walks you through the same steps as the console getting-started tutorial for security, but uses the Amazon CLI instead of the OpenSearch Service console.

In this tutorial, you'll complete the following steps:

  1. Create an IAM permissions policy

  2. Attach the IAM policy to an IAM role

  3. Create an encryption policy

  4. Create a network policy

  5. Create a collection

  6. Configure a data access policy

  7. Retrieve the collection endpoint

  8. Upload data to your collection

  9. Search data in your collection

The goal of this tutorial is to set up a single OpenSearch Serverless collection with fairly simple encryption, network, and data access settings. For example, we'll configure public network access, an Amazon managed key for encryption, and a simplified data access policy that grants minimal permissions to a single user.

In a production scenario, consider implementing a more robust configuration, including SAML authentication, a custom encryption key, and VPC access.
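The three policies this tutorial creates (encryption, network, data access) can be checked mechanically against the production recommendations above. The following added example (not part of the original page) re-creates the tutorial's policy documents as constructed Python literals and flags the development-grade settings a reviewer would want tightened: the Amazon owned key, public network access, and any wildcard principal, permission or resource in the data access policy.

```python
"""Audit the tutorial's OpenSearch Serverless policies against production recommendations."""

# Constructed copies of the three policy documents this tutorial creates (not API output).
ENCRYPTION_POLICY = {
    "Rules": [{"ResourceType": "collection", "Resource": ["collection/books"]}],
    "AWSOwnedKey": True,
}
NETWORK_POLICY = [{
    "Description": "Public access for books collection",
    "Rules": [{"ResourceType": "dashboard", "Resource": ["collection/books"]},
              {"ResourceType": "collection", "Resource": ["collection/books"]}],
    "AllowFromPublic": True,
}]
DATA_ACCESS_POLICY = [{
    "Rules": [{"ResourceType": "index", "Resource": ["index/books/books-index"],
               "Permission": ["aoss:CreateIndex", "aoss:DescribeIndex", "aoss:ReadDocument",
                              "aoss:WriteDocument", "aoss:UpdateIndex", "aoss:DeleteIndex"]}],
    "Principal": ["arn:aws:iam::123456789012:role/TutorialRole"],
}]


def audit_policies(encryption, network, data_access):
    """Return a list of findings; an empty list means no development-grade setting was found."""
    findings = []
    # Encryption: an Amazon owned key is fine for a tutorial; production should use a customer managed KMS key.
    if encryption.get("AWSOwnedKey"):
        findings.append("encryption: AWSOwnedKey=true (use a customer managed KMS key)")
    # Network: public access to the collection or its dashboards; production should restrict to VPC endpoints.
    for stmt in network:
        if stmt.get("AllowFromPublic"):
            types = ",".join(rule["ResourceType"] for rule in stmt.get("Rules", []))
            findings.append(f"network: AllowFromPublic=true for {types} (restrict to VPC endpoints)")
    # Data access: flag broad principals, wildcard permissions and wildcard resources.
    for stmt in data_access:
        for principal in stmt.get("Principal", []):
            if principal == "*" or principal.endswith(":root"):
                findings.append(f"data access: overly broad principal {principal}")
        for rule in stmt.get("Rules", []):
            for perm in rule.get("Permission", []):
                if perm.endswith("*"):
                    findings.append(f"data access: wildcard permission {perm} on {rule['ResourceType']}")
            for res in rule.get("Resource", []):
                if res.endswith("/*"):
                    findings.append(f"data access: wildcard resource {res}")
    return findings


if __name__ == "__main__":
    for finding in audit_policies(ENCRYPTION_POLICY, NETWORK_POLICY, DATA_ACCESS_POLICY):
        print(finding)
```

Run against the tutorial's own policies, the audit reports exactly the two settings the paragraph above calls out (the owned key and public access); the data access policy already passes.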

Get started with security policies in OpenSearch Serverless
  1. Note

    If you're already using a broader identity-based policy, such as "Action":"aoss:*" or "Action":"*", you can skip this step. In production environments, however, we recommend that you follow the principle of least privilege and assign only the minimum permissions required to complete a task.

    To start, create an Amazon Identity and Access Management policy with the minimum permissions required to perform the steps in this tutorial. We'll name the policy TutorialPolicy:

    aws iam create-policy \
      --policy-name TutorialPolicy \
      --policy-document "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": [\"aoss:ListCollections\",\"aoss:BatchGetCollection\",\"aoss:CreateCollection\",\"aoss:CreateSecurityPolicy\",\"aoss:GetSecurityPolicy\",\"aoss:ListSecurityPolicies\",\"aoss:CreateAccessPolicy\",\"aoss:GetAccessPolicy\",\"aoss:ListAccessPolicies\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}]}"

    Sample response

    {
        "Policy": {
            "PolicyName": "TutorialPolicy",
            "PolicyId": "ANPAW6WRAECKG6QJWUV7U",
            "Arn": "arn:aws:iam::123456789012:policy/TutorialPolicy",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2022-10-16T20:57:18+00:00",
            "UpdateDate": "2022-10-16T20:57:18+00:00"
        }
    }
  2. Attach TutorialPolicy to an IAM role that will index and search data in the collection. We'll name the role TutorialRole:

    aws iam attach-role-policy \
      --role-name TutorialRole \
      --policy-arn arn:aws:iam::123456789012:policy/TutorialPolicy
  3. Before you create a collection, you need to create an encryption policy that assigns an Amazon owned key to the books collection that you'll create in a later step.

    Send the following request to create an encryption policy for the books collection:

    aws opensearchserverless create-security-policy \
      --name books-policy \
      --type encryption \
      --policy "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AWSOwnedKey\":true}"

    Sample response

    {
        "securityPolicyDetail": {
            "type": "encryption",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDAwNTk5MF8x",
            "policy": {
                "Rules": [
                    {
                        "Resource": [
                            "collection/books"
                        ],
                        "ResourceType": "collection"
                    }
                ],
                "AWSOwnedKey": true
            },
            "createdDate": 1669240005990,
            "lastModifiedDate": 1669240005990
        }
    }
  4. Create a network policy that provides public access to the books collection:

    aws opensearchserverless create-security-policy \
      --name books-policy \
      --type network \
      --policy "[{\"Description\":\"Public access for books collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/books\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AllowFromPublic\":true}]"

    Sample response

    {
        "securityPolicyDetail": {
            "type": "network",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDI1Njk1NV8x",
            "policy": [
                {
                    "Rules": [
                        {
                            "Resource": [
                                "collection/books"
                            ],
                            "ResourceType": "dashboard"
                        },
                        {
                            "Resource": [
                                "collection/books"
                            ],
                            "ResourceType": "collection"
                        }
                    ],
                    "AllowFromPublic": true,
                    "Description": "Public access for books collection"
                }
            ],
            "createdDate": 1669240256955,
            "lastModifiedDate": 1669240256955
        }
    }
  5. Create the books collection:

    aws opensearchserverless create-collection --name books --type SEARCH

    Sample response

    {
        "createCollectionDetail": {
            "id": "8kw362bpwg4gx9b2f6e0",
            "name": "books",
            "status": "CREATING",
            "type": "SEARCH",
            "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
            "kmsKeyArn": "auto",
            "createdDate": 1669240325037,
            "lastModifiedDate": 1669240325037
        }
    }
  6. Create a data access policy that provides the minimum permissions to index and search data in the books collection. Replace the principal ARN with the ARN of TutorialRole from step 1:

    aws opensearchserverless create-access-policy \
      --name books-policy \
      --type data \
      --policy "[{\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index\/books\/books-index\"],\"Permission\":[\"aoss:CreateIndex\",\"aoss:DescribeIndex\",\"aoss:ReadDocument\",\"aoss:WriteDocument\",\"aoss:UpdateIndex\",\"aoss:DeleteIndex\"]}],\"Principal\":[\"arn:aws:iam::123456789012:role\/TutorialRole\"]}]"

    Sample response (the Permission list echoes the index permissions granted in the request above)

    {
        "accessPolicyDetail": {
            "type": "data",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDM5NDY1M18x",
            "policy": [
                {
                    "Rules": [
                        {
                            "Resource": [
                                "index/books/books-index"
                            ],
                            "Permission": [
                                "aoss:CreateIndex",
                                "aoss:DescribeIndex",
                                "aoss:ReadDocument",
                                "aoss:WriteDocument",
                                "aoss:UpdateIndex",
                                "aoss:DeleteIndex"
                            ],
                            "ResourceType": "index"
                        }
                    ],
                    "Principal": [
                        "arn:aws:iam::123456789012:role/TutorialRole"
                    ]
                }
            ],
            "createdDate": 1669240394653,
            "lastModifiedDate": 1669240394653
        }
    }

    TutorialRole should now be able to index and search documents in the books collection.

  7. To call the OpenSearch API, you need the collection endpoint. Send the following request to retrieve the collectionEndpoint parameter:

    aws opensearchserverless batch-get-collection --names books

    Sample response

    {
        "collectionDetails": [
            {
                "id": "8kw362bpwg4gx9b2f6e0",
                "name": "books",
                "status": "ACTIVE",
                "type": "SEARCH",
                "description": "",
                "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
                "createdDate": 1665765327107,
                "collectionEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com",
                "dashboardEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/_dashboards"
            }
        ],
        "collectionErrorDetails": []
    }
    Note

    You won't see the collection endpoint until the collection status changes to ACTIVE. You might have to make multiple calls to check the status before the collection is successfully created.

  8. Index data into the books collection using an HTTP tool such as Postman or curl. We'll create an index named books-index and add a single document.

    Using TutorialRole's credentials, send the following request to the collection endpoint that you retrieved in the previous step.

    PUT https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_doc/1

    {
      "title": "The Shining",
      "author": "Stephen King",
      "year": 1977
    }

    Sample response

    {
      "_index" : "books-index",
      "_id" : "1",
      "_version" : 1,
      "result" : "created",
      "_shards" : {
        "total" : 0,
        "successful" : 0,
        "failed" : 0
      },
      "_seq_no" : 0,
      "_primary_term" : 0
    }
  9. To start searching data in your collection, use the search API. The following query performs a basic search:

    GET https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_search

    Sample response

    {
      "took": 405,
      "timed_out": false,
      "_shards": {
        "total": 6,
        "successful": 6,
        "skipped": 0,
        "failed": 0
      },
      "hits": {
        "total": {
          "value": 2,
          "relation": "eq"
        },
        "max_score": 1.0,
        "hits": [
          {
            "_index": "books-index:0::3xJq14MBUaOS0wL26UU9:0",
            "_id": "F_bt4oMBLle5pYmm5q4T",
            "_score": 1.0,
            "_source": {
              "title": "The Shining",
              "author": "Stephen King",
              "year": 1977
            }
          }
        ]
      }
    }
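Steps 8 and 9 say to send the requests "using TutorialRole's credentials" but do not show how those credentials are applied: OpenSearch Serverless accepts only Signature Version 4 requests signed for the service name aoss, and it requires the x-amz-content-sha256 header. The following added example (not part of the original page, standard library only) signs the PUT from step 8 with constructed placeholder credentials; the access key, secret key and session token values are assumptions, and the resulting headers can be passed to any HTTP client.

```python
"""Sign a request to the collection endpoint with SigV4 for service "aoss" (stdlib only)."""
import datetime
import hashlib
import hmac
from urllib.parse import urlparse


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_aoss_request(method, url, body, access_key, secret_key, region,
                      session_token=None, now=None):
    """Return the headers to send; 'authorization' carries the SigV4 signature for service aoss."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parsed = urlparse(url)
    # OpenSearch Serverless requires the payload hash header, even for an empty GET body.
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    headers = {"host": parsed.netloc, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if session_token:  # temporary credentials, e.g. obtained by assuming TutorialRole
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, parsed.path or "/", parsed.query,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/aoss/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service (aoss) -> terminator.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "aoss")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    headers["content-type"] = "application/json"  # not part of the signature; added afterwards
    return headers


if __name__ == "__main__":
    # Constructed placeholder credentials (assumptions) and the tutorial's step 8 request.
    hdrs = sign_aoss_request(
        "PUT", "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_doc/1",
        '{"title": "The Shining", "author": "Stephen King", "year": 1977}',
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1")
    print(hdrs["authorization"])
```

The search in step 9 is signed the same way with method GET and an empty body; the server rejects the request if the body hash, date or signed headers do not match what was signed.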